IT professionals failing to address IoT security

An increasing number of IT professionals in the UK and US are unconcerned and inattentive about the growing risks of cyber criminals attacking the Internet of Things.

A survey, conducted by security firm Tripwire and Atomik Research, found that only 8% of IT workers in energy firms are concerned about cyber criminals attacking industrial controllers, while 88% lack confidence in the secure configuration of industrial controllers.

The survey of 404 IT professionals and 302 executives from retail, energy and financial services firms also found that fewer than a quarter overall are confident in the secure configuration of IoT devices that are already on enterprise networks.

These include point-of-sale devices, internet phones, sensors for physical security, smart controllers for lights and HVAC, and industrial controllers.

It also found that just 46% believe the risks associated with the IoT have the potential to become the most significant risks on their networks.

"The reason many enterprises are relatively ‘unconcerned’ about the security of IoT devices is because they misunderstand the risk. Frequently, organisations believe that they have nothing of value that would interest an attacker – this is rarely true," Tripwire’s security development manager Chris Conacher said.

"For attackers there is always something to be gained, and they’re not always looking for data that has financial value. From the theft of information or services that can be used to add a veneer of legitimacy to phishing campaigns or user credentials that can be used to gain access to a connection point from which to attack corporate partners, there is always something of value."

The research also found that employees working from home have an average of 11 IoT devices on their home networks, while 24% have connected at least one of these devices to their enterprise networks.

Paul Simmonds, CEO, Global Identity Foundation, said: "The study highlights the need to be able to build security and identity into the IoT in a standard way so that IoT devices can be on-boarded into whichever environment is required – home, business or national critical infrastructure. A plethora of cloud-based solutions unique to each manufacturer, supplier or even device will lead to chaos and insecurity."

The research comes as IDC expects more than 28 billion IoT devices to be installed by 2020, up from an estimated nine billion today.